I’m new to encryption and android and so asking this question.
How do applications like password managers, password safes, etc. handle the AES encryption? They all claim their app is safe and secure. But my question is, if the passwords are stored in the device database, and the key used is in the code, there’s simply no way to completely make it secure. Because in case the device was hacked, the app can be reverse engineered and the key/code could be easily obtained. Even if the code is obfuscated, the key could still be obtained from the obfuscated code, right? It may just be harder with obfuscation but not impossible.
Or is there a different way these applications handle the encryption?
I’m making a similar application and so I really wanted to know what a good encryption key would be and the best place/way to store it. I don’t want to access the key remotely from the app.
Thanks in advance.
A password manager should use a kind of “master password” to secure its key. Normally this is done by generating an encryption key off a password with PBKDF2 (Password-Based Key Derivation Function). Thus the user has to enter the password before the application is able to decrypt the data.
If your application includes the key in any form it is insecure by design.
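As an added example that is not part of the original answer, here is the master-password flow in Python: the vault key is re-derived with PBKDF2 every time the user enters the password, and the only things the app persists beside the encrypted entries are a random salt, the iteration count and a key-check value. Function names, the iteration count and the check label are assumptions for this example; the derived key would then be handed to AES, which is not shown.

```python
import os
import hmac
import hashlib
from typing import Optional

# Constructed parameters for this example, not values from the original post.
PBKDF2_ITERATIONS = 600_000   # deliberately slow: limits offline guessing if the database leaks
KEY_LEN = 32                  # 256-bit key, suitable for AES-256
SALT_LEN = 16

def derive_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the vault key from the master password. Nothing here lives in the code or on disk."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)

def create_vault_header(master_password: str) -> dict:
    """Build what the app stores next to the encrypted entries: salt, iteration count, verifier."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(master_password, salt)
    # The verifier lets the app detect a wrong password without storing the key itself;
    # it is an HMAC of a fixed label under the key, not the key.
    verifier = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "verifier": verifier}

def unlock(header: dict, master_password: str) -> Optional[bytes]:
    """Re-derive the key from the entered password; return it only if the verifier matches."""
    key = derive_key(master_password, header["salt"], header["iterations"])
    expected = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["verifier"]):
        return None          # wrong master password: the key is never produced
    return key               # hold this in memory only while the vault is open
```

Because the salt is random per vault, the same master password yields a different key on every device, and a reverse engineer who dumps the app and its database still has to guess the password.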